IT Contingency Plan

<Information System Name>, <Date>

Information Technology Contingency Plan (Template)

<Vendor>

<Information System Name>

Version 1.0

May 2, 2012

Proprietary and Confidential

For Authorized Use Only


Information Technology Contingency Plan

Prepared by

Identification of Organization that Prepared this Document /
insert logo / Organization Name
Street Address
Suite/Room/Building
City, State Zip

Prepared for

Identification of Cloud Service Provider /
insert logo / Organization Name
Street Address
Suite/Room/Building
City, State Zip

Executive Summary

This document supports Information Technology (IT) Contingency Plan requirements for the Federal Risk and Authorization Management Program (FedRAMP) and contains the IT Contingency Plan for the <Information System Name>. An IT Contingency Plan describes interim measures to recover IT services following an emergency or system disruption. Interim measures include the relocation of IT systems and services to an alternate site or the recovery of IT functions using alternate equipment at the primary site.

Document Revision History

Date / Version / Description / Author
5/2/2012 / 1.0 / Document Published / FedRAMP Office


Table of Contents

About this document 9

Who should use this document? 9

How this document is organized 9

Conventions used in this document 9

How to contact us 10

Contingency Plan Approvals 11

1. Introduction and purpose 12

1.1 Applicable Laws and Regulations 12

1.2 Applicable Standards and Guidance 12

1.3 Information System Name and Identifier 13

1.4 Scope 13

1.5 Assumptions 14

2. Concept of Operations 14

2.1 System Description 14

2.2 Three Phases 14

2.3 Data Backup Readiness Information 15

2.4 Site Readiness Information 17

2.5 Roles and Responsibilities 17

2.3.1. Contingency Planning Director (CPD) 18

2.3.2. Contingency Planning Coordinator (CPC) 18

2.3.3. Outage and Damage Assessment Lead (ODAL) 19

2.3.4. Hardware Recovery Team 19

2.3.5. Software Recovery Team 19

2.3.6. Telecommunications Team 20

2.3.7. Procurement and Logistics Coordinator (PLC) 20

2.3.8. Security Coordinator 20

2.3.9. Plan Distribution and Availability 21

2.3.10. Line of Succession/Alternates Roles 21

3. Activation and Notification 21

3.1 Activation Criteria and Procedure 22

3.2 Notification Instructions 22

3.3 Outage Assessment 22

4. Recovery 23

4.1 Sequence of Recovery Operations 23

4.2 Recovery Procedures 23

4.3 Recovery Escalation Notices/Awareness 23

5. Reconstitution 24

5.1 Data Validation Testing 24

5.2 Functional Validation Testing 24

5.3 Recovery Declaration 24

5.4 User Notification 24

5.5 Cleanup 25

5.6 Returning Backup Media 25

5.7 Backing Up Restored Systems 25

5.8 Event Documentation 25

6. Contingency Plan Testing 26

APPENDIX A KEY PERSONNEL AND TEAM MEMBERS CONTACT LIST 27

APPENDIX B VENDOR CONTACT LIST 28

APPENDIX C.1 ALTERNATE STORAGE SITE INFORMATION 29

APPENDIX C.2 ALTERNATE PROCESSING SITE INFORMATION 30

APPENDIX C.3 ALTERNATE TELECOMMUNICATIONS PROVISIONS 31

APPENDIX D ALTERNATE PROCESSING PROCEDURES 32

APPENDIX E SYSTEM VALIDATION TEST PLAN 33

APPENDIX F CONTINGENCY PLAN TEST REPORT 34

APPENDIX G DIAGRAMS 35

APPENDIX H HARDWARE AND SOFTWARE INVENTORY 36

APPENDIX I SYSTEM INTERCONNECTIONS 37

APPENDIX J TEST AND MAINTENANCE SCHEDULE 38

APPENDIX K ASSOCIATED PLANS AND PROCEDURES 39

APPENDIX L BUSINESS IMPACT ANALYSIS 40

List of Tables

Table 3-1. Information System Name and Title 13

Table 2-1. Backup Types 15

Table 2-3. Backup System Components 16

Table 2-4. Alternate Site Types 17

Table 2-5. Primary and Alternate Site Locations 17

Table 6-1. Personnel Authorized to Activate the ITCP 22

Table 5-2. Cleanup Roles and Responsibilities 24

Table 5-3. Event Documentation Responsibility 25


About this document

This document has been developed to provide guidance on how to participate in and understand the FedRAMP program.

Who should use this document?

This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, government employees working on FedRAMP projects, and any outside organizations that want to make use of the FedRAMP Contingency Planning process.

How this document is organized

This document is divided into six numbered sections followed by appendices. Most sections include subsections.

Section 1 is the introduction, which orients the reader to the type and location of information contained in the plan.

Section 2 describes concept of operations and provides additional details about the information system, the three phases of the contingency plan (Activation and Notification, Recovery, and Reconstitution), and a description of the information system contingency plan roles and responsibilities.

Section 3 describes the Activation and Notification Phase and defines initial actions taken once a system disruption or outage has been detected or appears to be imminent. This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the plan.

Section 4 describes the Recovery Phase activities and focuses on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or new alternate location.

Section 5 describes the Reconstitution Phase which is the third and final phase of ITCP implementation and defines the actions taken to test and validate system capability and functionality.

Section 6 describes the ITCP test plan.

Conventions used in this document

This document uses the following typographical conventions:

Italic

Italics are used for email addresses, security control assignment parameters, and formal document names.

Italic blue in a box

Italic blue text in a blue box indicates instructions to the individual filling out the template.

Bold

Bold text indicates a parameter or an additional requirement.

Constant width

Constant width text is used for text that is representative of characters that would show up on a computer screen.

Brackets

Bold blue text in brackets indicates text that should be replaced with user-defined values. Once the text has been replaced, the brackets should be removed.

Notes

Notes are found between parallel lines and include additional information that may be helpful to the users of this template.

Note: This is a note.

Sans Serif

Sans Serif text is used for tables, table captions, figure captions, and table of contents.

How to contact us

If you have questions about FedRAMP or something in this document, please write to:

For more information about the FedRAMP project, please see the website at:

http://www.fedramp.gov.

Contingency Plan Approvals

Signature / Date
Name
Title: System Owner
Cloud Service Provider

Signature / Date
Name
Title: System Owner
Cloud Service Provider

Signature / Date
Name
Title: System Owner
Cloud Service Provider

Signature / Date
Name
Title: FedRAMP Authorizing Official

1.  Introduction and purpose

Information systems are vital to <Cloud Service Provider> mission/business functions; therefore, it is critical that services provided by <Information System Name> are able to operate effectively without excessive interruption. This Information Technology Contingency Plan (ITCP) establishes comprehensive procedures to recover <Information System Name> quickly and effectively following a service disruption.

One goal of an IT Contingency Plan is to establish procedures and mechanisms that obviate the need to perform IT functions using manual methods. If manual methods are the only alternative, however, every effort should be made to continue IT functions and processes manually.

Unplanned disruptions can create confusion and often push an otherwise competent IT staff toward less efficient practices. To maintain a normal level of efficiency, it is important to reduce real-time process engineering by documenting the notification and activation, recovery, and reconstitution guidelines and procedures before a disruption occurs. During the notification/activation phase, appropriate personnel are apprised of current conditions and damage assessment begins. During the recovery phase, appropriate personnel take a course of action to recover the <Information System Name> components at a site other than the one that experienced the disruption. In the final phase, reconstitution, actions are taken to restore IT system processing capabilities to normal operations.

1.1  Applicable Laws and Regulations

The following laws and regulations are applicable to contingency planning:

·  Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]

·  Management of Federal Information Resources [OMB Circular A-130]

·  Records Management by Federal Agencies [44 USC 31]

1.2  Applicable Standards and Guidance

The following standards and guidance are useful for understanding contingency planning:

·  Computer Security Incident Handling Guide [NIST SP 800-61, Revision 1]

·  Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1]

·  Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST SP 800-37, Revision 1]

·  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities [NIST SP 800-84]

·  Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137]

·  Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 3]

·  Risk Management Guide for Information Technology Systems [NIST SP 800-30]

·  Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]

1.3  Information System Name and Identifier

This ITCP applies to the <Information System Name>, which has a unique identifier as noted in Table 3-1.

Table 3-1. Information System Name and Title

Unique Identifier / Information System Name / Information System Abbreviation

1.4  Scope

This ITCP has been developed for <Information System Name>, which is classified as a moderate-impact system in accordance with Federal Information Processing Standards (FIPS) 199. FIPS 199 provides guidelines for determining the potential impact on organizational operations, organizational assets, and individuals by assigning an impact level to each of three security objectives: confidentiality, integrity, and availability. The procedures in this ITCP have been developed for a moderate-impact system and are designed to recover the <Information System Name> within <Recovery Time Objective (RTO) hours>. The replacement or purchase of new equipment, short-term disruptions lasting less than <RTO hours>, and loss of data at the primary facility or at the user-desktop level are outside the scope of this plan.

Note: Recovery Time Objective (RTO) defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported mission/business processes.

This ITCP does not apply to the following situations:

·  Overall recovery and continuity of mission/business operations. The Business Continuity Plan (BCP) and Continuity of Operations Plan (COOP) address continuity of business operations.

·  Emergency evacuation of personnel. The Occupant Emergency Plan (OEP) addresses employee evacuation.

1.5  Assumptions

The following assumptions have been made about the <Information System Name>:

·  The Uninterruptible Power Supply (UPS) will keep the system up and running for <total number of seconds/minutes>

·  The generators will start within <total number of seconds/minutes> of a power failure

·  Current backups of the application software and data are intact and available at the offsite storage facility in <City, State>

·  The backup storage capability is approved and has been accepted by the JAB

·  The <Information System Name> is considered inoperable if it cannot be recovered within <RTO hours>

·  Key personnel have been identified and are trained annually in their roles

·  Key personnel are available to activate the ITCP

·  <Cloud Service Provider> defines circumstances that can inhibit recovery and reconstitution to a known state

2.  Concept of Operations

This section provides details about the <Information System Name>, an overview of the three phases of the ITCP (Activation and Notification, Recovery, and Reconstitution), and a description of the roles and responsibilities of key personnel during contingency operations.

2.1  System Description

2.2  Three Phases

This plan has been developed to recover and reconstitute the <Information System Name> using a three-phased approach. The approach ensures that system recovery and reconstitution efforts are performed in a methodical sequence to maximize the effectiveness of the recovery and reconstitution efforts and minimize system outage time due to errors and omissions. The three system recovery phases consist of activation and notification, recovery, and reconstitution.

Activation and Notification Phase. Activation of the ITCP occurs after a disruption, outage, or disaster that may reasonably extend beyond the RTO established for a system. The outage event may result in severe damage to the facility that houses the system, severe damage or loss of equipment, or other damage that typically results in long-term loss.

Once the ITCP is activated, the information system stakeholders are notified of a possible long-term outage, and a thorough outage assessment is performed for the information system. Information from the outage assessment is analyzed and may be used to modify recovery procedures specific to the cause of the outage.

Recovery Phase. The Recovery phase details the activities and procedures for recovery of the affected system. Activities and procedures are written at a level such that an appropriately skilled technician can recover the system without intimate system knowledge. This phase includes notification and awareness escalation procedures for communication of recovery status to system stakeholders.

Reconstitution Phase. The Reconstitution phase defines the actions taken to test and validate system capability and functionality at the original or new permanent location. This phase consists of two major activities: validating data and operational functionality, followed by deactivation of the plan.

During validation, the system is tested and validated as operational prior to returning operation to its normal state. Validation procedures include functionality or regression testing, concurrent processing, and/or data validation. The system is declared recovered and operational upon successful completion of validation testing.

Deactivation includes activities to notify users of system operational status. This phase also addresses recovery effort documentation, activity log finalization, incorporation of lessons learned into plan updates, and readying resources for any future events.

2.3  Data Backup Readiness Information

A common understanding of data backup definitions is necessary in order to ensure that data restoration is successful. <Cloud Service Provider> recognizes different types of backups which have different purposes and those definitions are found in Table 2-1.
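The plan assumes (Section 1.5) that the offsite backups are intact and available. The following is an added example, not part of the FedRAMP template or any CSP's tooling, of how a Contingency Planning Coordinator could verify that assumption before recovery depends on it: every file in a backup set is hashed into a manifest when the backup is taken, and the set is later checked against that manifest, reporting missing, corrupted, and unexpected files. All directory names, file names, and file contents below are constructed for the demonstration.

```python
"""Added example: verify an offsite backup set against a size/SHA-256 manifest.

Checks the plan's assumption that "current backups ... are intact and
available" instead of taking it on faith. Paths and contents are constructed
for the demo; nothing here comes from the FedRAMP template.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _walk(backup_dir):
    """Yield portable (forward-slash) relative paths of every file under backup_dir."""
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            yield rel.replace(os.sep, "/")


def _abs(backup_dir, rel):
    """Map a manifest path back onto the local filesystem."""
    return os.path.join(backup_dir, *rel.split("/"))


def write_manifest(backup_dir, manifest_path):
    """Record size and SHA-256 of every file; run this when the backup is taken."""
    entries = {}
    for rel in _walk(backup_dir):
        full = _abs(backup_dir, rel)
        entries[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    with open(manifest_path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    return entries


def verify_backup(backup_dir, manifest_path):
    """Compare the backup set on disk with the manifest.

    Returns a report listing ok, missing, corrupt and unexpected files plus an
    overall 'intact' verdict. Missing or corrupt files mean the set must not be
    relied on for recovery."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    present = set(_walk(backup_dir))
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, meta in sorted(expected.items()):
        if rel not in present:
            report["missing"].append(rel)
            continue
        full = _abs(backup_dir, rel)
        # Size check first: cheap, and catches truncated copies before hashing.
        if os.path.getsize(full) != meta["size"] or sha256_file(full) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # Files absent from the manifest are not proof of tampering, but need explaining.
    report["unexpected"] = sorted(present - set(expected))
    report["intact"] = not report["missing"] and not report["corrupt"]
    return report


def demo():
    """Build a constructed backup set, verify it, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup_dir, "db"))
        os.makedirs(os.path.join(backup_dir, "app"))
        # Constructed contents; a real set would hold database dumps and app images.
        with open(os.path.join(backup_dir, "db", "full.dump"), "wb") as fh:
            fh.write(b"-- constructed full dump --\n" * 1000)
        with open(os.path.join(backup_dir, "app", "release.tar"), "wb") as fh:
            fh.write(b"constructed application archive\n" * 100)
        manifest = os.path.join(tmp, "manifest.json")  # kept outside the backup tree
        write_manifest(backup_dir, manifest)

        clean = verify_backup(backup_dir, manifest)

        # Simulate media damage: a same-size silent corruption and a lost archive.
        with open(os.path.join(backup_dir, "db", "full.dump"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"XX")
        os.remove(os.path.join(backup_dir, "app", "release.tar"))
        damaged = verify_backup(backup_dir, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean set intact:", before["intact"])
    print("damaged set intact:", after["intact"],
          "corrupt:", after["corrupt"], "missing:", after["missing"])
```

Keep the manifest on separate media from the backup set, or sign it, since whatever can alter the backup can alter a manifest stored beside it. The corrupted dump in the demo keeps its original size, which is why the hash is compared and not just the size. Running verify_backup against the offsite copy on the cadence in the Test and Maintenance Schedule turns the Section 1.5 assumption into a recorded check.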

Table 2-1. Backup Types